Analysis
max time kernel: 150s
max time network: 157s
platform: windows10-2004_x64
resource: win10v2004-20231023-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21/11/2023, 01:28
Behavioral task: behavioral1
Sample: 944650d3da8b81e951b69bf7572f3069eaa542eb8812d6d5785c9a5dc1e8820d.x.exe
Resource: win7-20231023-en

Behavioral task: behavioral2
Sample: 944650d3da8b81e951b69bf7572f3069eaa542eb8812d6d5785c9a5dc1e8820d.x.exe
Resource: win10v2004-20231023-en
General
Target: 944650d3da8b81e951b69bf7572f3069eaa542eb8812d6d5785c9a5dc1e8820d.x.exe
Size: 5.5MB
MD5: d7bafb9a979dd8d4398e49874b0658a0
SHA1: 3bef518b3a2eae1fbc56aa5b464da7476ea7217d
SHA256: 944650d3da8b81e951b69bf7572f3069eaa542eb8812d6d5785c9a5dc1e8820d
SHA512: 3d6c755d63ab5afbb79161c83a39912270a086cb954ba59b91ad4231a8293c598c2f0d78735c9c2300ff9dcf8653ac0486b68ec4092cec0980b83c0713b619a1
SSDEEP: 98304:9QqNNOWs0J5jnfZai4UZ0x+SKzHjn5jJujrqjne1uikKmkww91wjbLHbXpoq:9fN4W/rjhBhZ0Pmn5FpjniSI1ULHdN
Malware Config
Signatures
Downloads MZ/PE file

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Control Panel\International\Geo\Nation | 944650d3da8b81e951b69bf7572f3069eaa542eb8812d6d5785c9a5dc1e8820d.x.exe

Executes dropped EXE (2 IoCs)
pid | Process
852 | Yloux.exe
1336 | {F7519EB7-2DA8-4ee3-AC89-BB60BC2C4E68}.exe

resource | yara_rule
behavioral2/memory/4504-1-0x00000000005C0000-0x0000000000E75000-memory.dmp | vmprotect
behavioral2/memory/4504-3-0x00000000005C0000-0x0000000000E75000-memory.dmp | vmprotect
behavioral2/memory/4504-33-0x00000000005C0000-0x0000000000E75000-memory.dmp | vmprotect
behavioral2/memory/4504-196-0x00000000005C0000-0x0000000000E75000-memory.dmp | vmprotect

Enumerates connected drives (3 TTPs, 22 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\I: | Yloux.exe
File opened (read-only) | \??\L: | Yloux.exe
File opened (read-only) | \??\S: | Yloux.exe
File opened (read-only) | \??\V: | Yloux.exe
File opened (read-only) | \??\X: | Yloux.exe
File opened (read-only) | \??\E: | Yloux.exe
File opened (read-only) | \??\G: | Yloux.exe
File opened (read-only) | \??\K: | Yloux.exe
File opened (read-only) | \??\N: | Yloux.exe
File opened (read-only) | \??\R: | Yloux.exe
File opened (read-only) | \??\T: | Yloux.exe
File opened (read-only) | \??\B: | Yloux.exe
File opened (read-only) | \??\J: | Yloux.exe
File opened (read-only) | \??\M: | Yloux.exe
File opened (read-only) | \??\O: | Yloux.exe
File opened (read-only) | \??\U: | Yloux.exe
File opened (read-only) | \??\Z: | Yloux.exe
File opened (read-only) | \??\H: | Yloux.exe
File opened (read-only) | \??\Q: | Yloux.exe
File opened (read-only) | \??\W: | Yloux.exe
File opened (read-only) | \??\Y: | Yloux.exe
File opened (read-only) | \??\P: | Yloux.exe

Drops file in Windows directory (5 IoCs)
description | ioc | Process
File created | C:\windows\Runn\WindowsTask.exe | 944650d3da8b81e951b69bf7572f3069eaa542eb8812d6d5785c9a5dc1e8820d.x.exe
File created | C:\windows\Runn\DuiLib_u.dll | 944650d3da8b81e951b69bf7572f3069eaa542eb8812d6d5785c9a5dc1e8820d.x.exe
File created | C:\windows\Runn\sqlite3.dll | 944650d3da8b81e951b69bf7572f3069eaa542eb8812d6d5785c9a5dc1e8820d.x.exe
File created | C:\windows\Runn\Yloux.exe | 944650d3da8b81e951b69bf7572f3069eaa542eb8812d6d5785c9a5dc1e8820d.x.exe
File created | C:\windows\Runn\1.bin | 944650d3da8b81e951b69bf7572f3069eaa542eb8812d6d5785c9a5dc1e8820d.x.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Modifies registry class (2 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\Local Settings | 944650d3da8b81e951b69bf7572f3069eaa542eb8812d6d5785c9a5dc1e8820d.x.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\EditFlags = "1700530177" | {F7519EB7-2DA8-4ee3-AC89-BB60BC2C4E68}.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
4504 | 944650d3da8b81e951b69bf7572f3069eaa542eb8812d6d5785c9a5dc1e8820d.x.exe
852 | Yloux.exe

Suspicious use of SetWindowsHookEx (1 IoC)
pid | Process
852 | Yloux.exe

Suspicious use of WriteProcessMemory (2 IoCs)
description | pid | Process | procid_target
PID 4504 wrote to memory of 852 | 4504 | 944650d3da8b81e951b69bf7572f3069eaa542eb8812d6d5785c9a5dc1e8820d.x.exe | 94
PID 4504 wrote to memory of 852 | 4504 | 944650d3da8b81e951b69bf7572f3069eaa542eb8812d6d5785c9a5dc1e8820d.x.exe | 94

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

C:\Users\Admin\AppData\Local\Temp\944650d3da8b81e951b69bf7572f3069eaa542eb8812d6d5785c9a5dc1e8820d.x.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\944650d3da8b81e951b69bf7572f3069eaa542eb8812d6d5785c9a5dc1e8820d.x.exe"
  PID: 4504
  - Checks computer location settings
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  C:\windows\Runn\Yloux.exe (child of PID 4504)
    Command line: "C:\windows\Runn\Yloux.exe"
    PID: 852
    - Executes dropped EXE
    - Enumerates connected drives
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx

C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 4532

C:\Users\Admin\AppData\Local\Temp\{F7519EB7-2DA8-4ee3-AC89-BB60BC2C4E68}.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\{F7519EB7-2DA8-4ee3-AC89-BB60BC2C4E68}.exe" /s "C:\Users\Admin\AppData\Local\Temp\\{F3BCAA1F-174B-47e6-898B-FAC132650FA3}"
  PID: 1336
  - Executes dropped EXE
  - Modifies registry class
Network
MITRE ATT&CK Enterprise v15
Downloads